Author: adelbene
Date: Fri Nov 14 15:57:13 2014
New Revision: 1639680
URL: http://svn.apache.org/r1639680
Log:
Added missing files
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_4.gdoc
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_4.gdoc
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_4.gdoc?rev=1639680&r1=1639679&r2=1639680&view=diff
==============================================================================
---
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_4.gdoc
(original)
+++
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_4.gdoc
Fri Nov 14 15:57:13 2014
@@ -1,41 +1,40 @@
+In chapter 10.6 we have seen how to use encryted URLs using mapper
@CryotoMapper@. To encrypt/decryp page URLs @CryotoMapper@ uses an instance of
interface @org.apache.wicket.util.crypt.ICrypt@:
+{code}
+public interface ICrypt
+{
+ String encryptUrlSafe(final String plainText);
-Wicket internally uses an entity called package resource guard to protect
package resources from external access. This entity is an implementation of
interface @org.apache.wicket.markup.html.IPackageResourceGuard@.
+ String decryptUrlSafe(final String encryptedText);
+}
+{code}
-By default Wicket applications use as package resource guard class
@SecurePackageResourceGuard@, which allows to access only to the following file
extensions (grouped by type):
+The default implementation for this interface is class
@org.apache.wicket.util.crypt.SunJceCrypt@ which provides password-based
cryptography and is adopted by @CryotoMapper@ when we use its constructor
@CryptoMapper(IRequestMapper wrappedMapper, Application application)@. As we
hinted at the end of chapter 10.6, this constructor alone might not provide
enough security for our application. To strengthen the cryptography mechanism
used by @CryotoMapper@ we have two possible options.
+The first (and more obvious) is to use constructor
@CryptoMapper(IRequestMapper wrappedMapper, IProvider<ICrypt> cryptProvider)@
and give it an implementation of @org.apache.wicket.util.IProvider@ that
returns a custom @org.apache.wicket.util.crypt.ICrypt@.
-{table}
-File | Extensions
-*JavaScript files* |.js
-*CSS files* |.css
-*HTML pages* |.html
-*Textual files* |.txt
-*Flash files* |.swf
-*Picture files* |.png, .jpg, .jpeg, .gif, .ico, .cur, .bmp, .svg
-*Web font files* |.eot, .ttf, .woff
-{table}
+{note}
[email protected]@ is a single-method interface that acts as
object supplier:
-To modify the set of allowed files formats we can add one or more patterns
with method @addPattern(String)@. The rules to write a pattern are the
following:
+{code}
+public interface IProvider<T>
+{
+ T get();
+}
+{code}
-* patterns start with either a "+" or a "-". In the first case the pattern
will add one or more file to the set while starting a pattern with a â-â we
exclude all the files matching the given pattern. For example pattern
â-web.xmlâ excludes all web.xml files in all directories.
-* wildcard character â\*â is supported as placeholder for zero or more
characters. For example pattern â+\*.mp4â adds all the mp4 files inside
all directories.
-* subdirectories are supported as well. For example pattern
â+documents/\*.pdfâ adds all pdf files under âdocumentsâ directory.
Character â\*â can be used with directories to specify a nesting level. For
example â+documents/\*/\*.pdfâ adds all pdf files placed one level below
âdocumentsâ directory.
-* a double wildcard character â\*\*â indicates zero or more
subdirectories. For example pattern â+documents/\*\*/\*.pdfâ adds all pdf
files placed inside âdocumentsâ directory or inside any of its
subdirectories.
+{note}
-Patterns that allow to access to every file with a given extensions (such as
â+\*.pdfâ) should be always avoided in favour of more restrictive
expressions that contain a directory structure:
+The second option we have to strengthen URLs encryption is to register a
cipher factory at application level with method @setCryptFactory(ICryptFactory
cryptFactory)@ of interface @ISecuritySettings@:
{code}
-//Application class code...
@Override
-public void init()
-{
- IPackageResourceGuard packageResourceGuard =
application.getResourceSettings()
- .getPackageResourceGuard();
- if (packageResourceGuard instanceof SecurePackageResourceGuard)
- {
- SecurePackageResourceGuard guard = (SecurePackageResourceGuard)
packageResourceGuard;
- //Allow to access only to pdf files placed in the âpublicâ
directory.
- guard.addPattern("+public/*.pdf");
- }
+public void init() {
+ super.init();
+ getSecuritySettings().setCryptFactory(new
KeyInSessionSunJceCryptFactory());
+ setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
}
{code}
+
+
+This cipher factory is used by @CryotoMapper@ when we instantiate it with the
first contructor we have seen. Chiper factories are implementations of
interface @org.apache.wicket.util.crypt.ICryptFactory@.
+Class @org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory@ is a
built-in cipher factory that generates a separate key for each user and stores
it in the HTTP session. This factory offers a stronger URLs encryption and can
help to protect our application against CSRF attacks
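Review bot: the class name is misspelled as @CryotoMapper@ throughout the new text (five occurrences) while the constructor signature correctly reads @CryptoMapper(...)@; all should be @CryptoMapper@. Further typos in the same hunk: "encryted", "decryp", "contructor", "Chiper", and the interface reference in the {note} block has been mangled to "[email protected]@" where @org.apache.wicket.util.IProvider@ was intended. The final sentence ("can help to protect our application against CSRF attacks") is missing its full stop. The paragraph states that the first constructor "might not provide enough security" but never says what the default @SunJceCrypt@ setup lacks; one sentence contrasting it with the per-user key that @KeyInSessionSunJceCryptFactory@ stores in the HTTP session would make the recommendation concrete for readers who skip chapter 10.6.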
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc?rev=1639680&r1=1639679&r2=1639680&view=diff
==============================================================================
---
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
(original)
+++
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
Fri Nov 14 15:57:13 2014
@@ -1,12 +1,41 @@
-To encrypt/decryp page URLs Wicket uses an instance of interface
@org.apache.wicket.util.crypt.ICrypt@:
+
+
+Wicket internally uses an entity called package resource guard to protect
package resources from external access. This entity is an implementation of
interface @org.apache.wicket.markup.html.IPackageResourceGuard@.
+
+By default Wicket applications use as package resource guard class
@SecurePackageResourceGuard@, which allows to access only to the following file
extensions (grouped by type):
+
+{table}
+File | Extensions
+*JavaScript files* |.js
+*CSS files* |.css
+*HTML pages* |.html
+*Textual files* |.txt
+*Flash files* |.swf
+*Picture files* |.png, .jpg, .jpeg, .gif, .ico, .cur, .bmp, .svg
+*Web font files* |.eot, .ttf, .woff
+{table}
+
+To modify the set of allowed files formats we can add one or more patterns
with method @addPattern(String)@. The rules to write a pattern are the
following:
+
+* patterns start with either a "+" or a "-". In the first case the pattern
will add one or more file to the set while starting a pattern with a â-â we
exclude all the files matching the given pattern. For example pattern
â-web.xmlâ excludes all web.xml files in all directories.
+* wildcard character â\*â is supported as placeholder for zero or more
characters. For example pattern â+\*.mp4â adds all the mp4 files inside
all directories.
+* subdirectories are supported as well. For example pattern
â+documents/\*.pdfâ adds all pdf files under âdocumentsâ directory.
Character â\*â can be used with directories to specify a nesting level. For
example â+documents/\*/\*.pdfâ adds all pdf files placed one level below
âdocumentsâ directory.
+* a double wildcard character â\*\*â indicates zero or more
subdirectories. For example pattern â+documents/\*\*/\*.pdfâ adds all pdf
files placed inside âdocumentsâ directory or inside any of its
subdirectories.
+
+Patterns that allow to access to every file with a given extensions (such as
â+\*.pdfâ) should be always avoided in favour of more restrictive
expressions that contain a directory structure:
{code}
-public interface ICrypt
+//Application class code...
+@Override
+public void init()
{
- String encryptUrlSafe(final String plainText);
-
- String decryptUrlSafe(final String encryptedText);
+ IPackageResourceGuard packageResourceGuard =
application.getResourceSettings()
+ .getPackageResourceGuard();
+ if (packageResourceGuard instanceof SecurePackageResourceGuard)
+ {
+ SecurePackageResourceGuard guard = (SecurePackageResourceGuard)
packageResourceGuard;
+ //Allow to access only to pdf files placed in the âpublicâ
directory.
+ guard.addPattern("+public/*.pdf");
+ }
}
{code}
-
-The default implementation for this interface
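Review bot: the {code} example is introduced as "Application class code" inside @init()@, yet it calls @application.getResourceSettings()@ on a variable that does not exist in that scope; it should be @getResourceSettings()@ (or @Application.get().getResourceSettings()@) and the @.getPackageResourceGuard()@ continuation should sit on the same statement rather than a dangling indented line. The comment "Allow to access only to pdf files placed in the 'public' directory" reads as if nothing else is reachable, whereas the text above says @addPattern(String)@ adds a pattern to the existing set; rewording it to "Allow access to pdf files only when placed in the 'public' directory" removes the ambiguity. Minor wording: "allows to access only to the following file extensions" should be "allows access only to the following file extensions", "add one or more file" should be "files", and "every file with a given extensions" should be "a given extension".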
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc?rev=1639680&r1=1639679&r2=1639680&view=diff
==============================================================================
---
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
(original)
+++
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
Fri Nov 14 15:57:13 2014
@@ -1,6 +1,6 @@
-In this chapter we have seen the components and the mechanisms that allow us
to implement security policies in our Wicket-based applications. Wicket comes
with an out of the box support for both authorization and authentication.
+ In this chapter we have seen the components and the mechanisms that allow us
to implement security policies in our Wicket-based applications. Wicket comes
with an out of the box support for both authorization and authentication.
The central element of authorization mechanism is the interface
@IAuthorizationStrategy@ which decouples our components from any detail about
security strategy. The implementations of this interface must decide if a user
is allowed to instantiate a given page or component and if she/he can perform a
given action on it.
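Review bot: the only change in this hunk is a leading space inserted before "In this chapter"; the rest of the paragraph is identical to the removed line. This looks accidental and should be reverted unless the indentation is intended, since it produces a noisy diff for no content change.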